1. Introduction 


1.1 Document Purpose 


This document is Active Directory installation and training material for end users. 


2. Install Active Directory in Windows Server 2019 


2.1 Requirements 

Before installing the role, verify that: 

* The Administrator account has a strong password 
* A static IP address is configured 
* The latest Windows updates are installed 
* The firewall is turned off (Section 4) 

Note on the last item: the Add Roles and Features wizard itself only checks the first three. A domain controller holds every password hash in the domain, so turning its firewall off for convenience removes a layer of protection; treat it as a lab shortcut. In production, leave the firewall enabled and rely on the predefined inbound rule groups (Active Directory Domain Controller, DNS Service) that the AD DS and DNS roles register and enable during installation. 


3. Server Role Installation 


3.1 Disable IPv6 from the Registry 


1. Open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters. 
2. Create a DWORD value named "DisabledComponents", set it to ffffffff and reboot for the change to take effect. 

Caveat: this step is not required by AD DS, and Microsoft's guidance is to leave IPv6 enabled. Where IPv6 must be disabled, Microsoft documents the value 0xff rather than 0xffffffff, because the latter is known to add a 5-second delay at startup. The registry value is the only setting that disables IPv6 for the whole stack; clearing the IPv6 checkbox on an adapter only unbinds the protocol from that adapter. 


4. Turn off the Firewall 

If the firewall is to stay enabled (the recommended production setting, see Section 2.1), skip this section. 

1. Open Run (Win+R), type firewall.cpl and click OK. 

   (Screenshot: Run dialog, "Type the name of a program, folder, document, or Internet resource, and Windows will open it for you.") 

2. In the Windows Defender Firewall control panel, click Advanced settings. 

   (Screenshot: Control Panel > All Control Panel Items > Windows Defender Firewall, listing the Domain, Private and Guest or public network profiles, with Change notification settings, Turn Windows Defender Firewall on or off, Restore defaults, Advanced settings and Troubleshoot my network in the left pane) 

3. In Windows Firewall with Advanced Security, the Overview pane shows the state of the Domain, Private and Public profiles. Click Windows Firewall Properties. The overview also states the defaults the firewall enforces while it is on: inbound connections are blocked unless they match a rule that allows them, and outbound connections are allowed unless they match a rule that blocks them. 

   (Screenshot: Windows Firewall with Advanced Security > Overview, all three profiles reporting "Windows Firewall is off", Public Profile active) 

4. On the Domain Profile, Private Profile and Public Profile tabs, set Firewall state to Off, then click Apply and OK. 

   (Screenshot: profile tab showing Firewall state, Inbound connections, Outbound connections, Protected network connections, Settings and Logging) 
5. Set the Time Zone 

Open Settings > Time & language > Date & time and set Time zone to (UTC+05:30) Chennai, Kolkata, Mumbai, New Delhi. 

In the screenshot, "Set time automatically" is off. Once this server is promoted it becomes the forest's authoritative time source (it holds the PDC emulator role), so configure it afterwards to synchronise from a reliable external NTP source: by default Kerberos rejects tickets when a client's clock differs from the DC's by more than five minutes, so a DC with drifting time breaks domain logons. 

(Screenshot: Settings > Date & time; Time zone (UTC+05:30) Chennai, Kolkata, Mumbai, New Delhi; Set time automatically: Off; Set time zone automatically: Off) 

6. AD DS Installation Steps 
1. Click the Search button, type Server Manager and open Server Manager (Desktop app). 

   (Screenshot: Start search showing Server Manager as the best match) 

2. In Server Manager, select Dashboard and, under "Configure this local server", click Add Roles and Features. 

   (Screenshot: Server Manager > Dashboard, with Local Server, All Servers and File and Storage Services in the left pane) 
3. On the Before you begin page, click Next. The wizard lists the same prerequisites as Section 2.1 (a strong Administrator password, static IP addressing and the most current security updates from Windows Update). If any is missing, close the wizard, complete it and run the wizard again. 

   (Screenshot: Add Roles and Features Wizard > Before you begin, destination server Server2019) 
4. On Select installation type, choose "Role-based or feature-based installation" and click Next. (The other option, Remote Desktop Services installation, is for virtual machine-based or session-based VDI deployments.) 

   (Screenshot: Select installation type) 

5. On Select destination server, choose "Select a server from the server pool", select the local server (Server2019, Windows Server 2019 Standard) and click Next. The pool lists servers running Windows Server 2012 or later that were added with the Add Servers command; offline servers and newly added servers whose data collection is incomplete are not shown. 

   (Screenshot: Select destination server, 1 computer found) 

6. On Select server roles, tick Active Directory Domain Services. The description reads: AD DS stores information about objects on the network and makes this information available to users and network administrators; it uses domain controllers to give network users access to permitted resources anywhere on the network through a single logon process. 

   (Screenshot: Select server roles, role list from Active Directory Certificate Services to Windows Server Update Services) 
7. A pop-up lists the additional features that AD DS requires: Group Policy Management and, under Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools, the Active Directory module for Windows PowerShell and, under AD DS Tools, the Active Directory Administrative Center and the AD DS Snap-Ins and Command-Line Tools. Leave "Include management tools (if applicable)" ticked and click Add Features. 

   (Screenshot: "Add features that are required for Active Directory Domain Services?") 
8. Active Directory Domain Services is now ticked in the role list. Click Next. 

   (Screenshot: Select server roles with Active Directory Domain Services selected) 
9. On Select features, keep the defaults (Group Policy Management is already selected; .NET Framework 4.7 Features shows 2 of 7 installed) and click Next. 

   (Screenshot: Select features) 
10. Read the Active Directory Domain Services information page and click Next. Two of its notes matter beyond the lab: install at least two domain controllers per domain so that users can still log on during a server outage, and AD DS requires a DNS server on the network; if none is found you will be prompted to install the DNS Server role on this machine. (The page also advertises Azure Active Directory and Azure Active Directory Connect for Office 365; neither is needed here.) 

    (Screenshot: Active Directory Domain Services information page) 

11. On Confirm installation selections, review the list and click Install: 

    Active Directory Domain Services 
    Group Policy Management 
    Remote Server Administration Tools 
      Role Administration Tools 
        AD DS and AD LDS Tools 
          Active Directory module for Windows PowerShell 
          AD DS Tools 
            Active Directory Administrative Center 
            AD DS Snap-ins and Command-Line Tools 

    Optional features such as the administration tools appear because they were selected automatically; click Previous to clear them if they are not wanted. 

    (Screenshot: Confirm installation selections, with the Export configuration settings and Specify an alternate source path links) 
12. When Installation progress reports "Configuration required. Installation succeeded on Server2019", the role is installed; click Close. The server is not yet a domain controller: the page states that additional steps are required to make this machine a domain controller and offers the link "Promote this server to a domain controller", which the next section follows. The wizard can be closed without interrupting running tasks; progress remains available under Notifications > Task Details in Server Manager. 

    (Screenshot: Installation progress) 
7. Configuring Active Directory 


1. In Server Manager, click the Notifications flag; under "Post-deployment Configuration: Configuration required for Active Directory Domain Services at SERVER2019", click "Promote this server to a domain controller". 

   (Screenshot: Server Manager > Dashboard with the post-deployment configuration notification) 
2. On Deployment Configuration, under "Select the deployment operation", choose Add a new forest, enter the root domain name (xpertstec.local in this guide) and click Next. 

   Naming note: a .local suffix is acceptable for a lab, but it is not registered DNS space and collides with multicast DNS on some clients. For production, use a subdomain of a DNS name the organisation owns (for example ad.example.com); the forest root name is effectively permanent, since changing it later requires a domain rename. 

   (Screenshot: Active Directory Domain Services Configuration Wizard > Deployment Configuration, root domain name xpertstec.local) 
3. On Domain Controller Options, keep the forest and domain functional levels at Windows Server 2016. This is the default and also the highest level available: Windows Server 2019 introduced no new functional level. Keep Domain Name System (DNS) server and Global Catalog (GC) ticked (Read only domain controller is not available for the first DC in a forest), type and confirm the Directory Services Restore Mode (DSRM) password, and click Next. 

   The DSRM password is the local Administrator password used when the DC is booted into Directory Services Restore Mode, which is how the system state backups in Section 10 are restored. It is separate from the domain Administrator password; choose a strong one and record it in the team's password vault, because it is rarely used and easily lost. 

   (Screenshot: Domain Controller Options, forest and domain functional level Windows Server 2016, DNS server and Global Catalog ticked, DSRM password fields) 
4. On DNS Options, the warning "A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found" is expected for the first DC of a new forest, because no parent zone exists yet. Leave "Create DNS delegation" unticked and click Next. 

   (Screenshot: DNS Options) 
5. On Additional Options, verify the NetBIOS domain name that the wizard derived from the DNS name (XPERTSTEC) and change it if necessary, then click Next. 

   (Screenshot: Additional Options) 

6. On Paths, keep the default locations and click Next: 

   Database folder:  C:\Windows\NTDS 
   Log files folder: C:\Windows\NTDS 
   SYSVOL folder:    C:\Windows\SYSVOL 

   On a production DC, placing the database and log files on a volume other than the system drive improves recoverability; whichever paths are chosen, the same volumes must exist when a system state backup is restored. 

   (Screenshot: Paths) 
7. On Review Options, check the summary (domain name, NetBIOS name, functional levels, Global catalog, DNS) and click Next: 

   Configure this server as the first Active Directory domain controller in a new forest. 
   The new domain name is "xpertstec.local". This is also the name of the new forest. 
   The NetBIOS name of the domain: XPERTSTEC 
   Forest Functional Level: Windows Server 2016 
   Domain Functional Level: Windows Server 2016 
   Additional Options: 
     Global catalog: Yes 
     DNS Server: Yes 
     Create DNS Delegation: No 

   The View script button on this page exports these settings as a Windows PowerShell script, which can be reused to automate additional installations. 

   (Screenshot: Review Options) 
8. On Prerequisites Check, wait for "All prerequisite checks passed successfully. Click 'Install' to begin installation", read the results and click Install. Two warnings are expected on a new forest: 

   * Windows Server 2019 domain controllers have a default for the security setting named "Allow cryptography algorithms compatible with Windows NT 4.0" that prevents weaker cryptography algorithms when establishing security channel sessions (Knowledge Base article 942564). Leave this default in place; it only affects NT 4.0-era clients and trusts. 
   * A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or does not run Windows DNS server. If you are integrating with an existing DNS infrastructure, manually create a delegation to this DNS server in the parent zone so that names in xpertstec.local resolve reliably from outside the domain. Otherwise, no action is required. 

   If you click Install, the server automatically reboots at the end of the promotion operation. 

   (Screenshot: Prerequisites Check results) 
9. When the installation completes, the server reports that it has been successfully configured as a domain controller and reboots automatically. Sign in with the domain Administrator account (XPERTSTEC\Administrator) and open Server Manager. The Tools menu now lists the directory consoles installed with the role: Active Directory Administrative Center, Active Directory Domains and Trusts, Active Directory Module for Windows PowerShell, Active Directory Sites and Services, Active Directory Users and Computers, ADSI Edit, DNS and Group Policy Management, alongside Component Services, Computer Management, Event Viewer, Local Security Policy and the other standard entries. 

   (Screenshot: Server Manager dashboard and Tools menu after promotion) 
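Sections 6 and 7 (role installation and promotion to the first domain controller of a new forest) as a script, the same shape as the export the wizard's View script button produces. This is an added example and not the wizard's own export; it assumes the domain name xpertstec.local, the NetBIOS name XPERTSTEC and the default paths shown in the screenshots, and reads the DSRM password interactively so that it never lands in a script file or shell history.

```powershell
# Added example: AD DS role installation plus forest promotion, equivalent
# to the Add Roles and Features wizard (Section 6) and the AD DS
# Configuration Wizard (Section 7). Names and paths are those of the guide's
# screenshots; replace them for your environment.

# Section 6: install the role together with its management tools (Group
# Policy Management, RSAT AD DS tools, AD module for Windows PowerShell).
$feature = Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
if (-not $feature.Success) {
    throw "AD DS role installation failed (exit code $($feature.ExitCode))"
}

# Section 7 step 3: the DSRM password. Prompted, never hard-coded.
$dsrm = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString

Import-Module ADDSDeployment

# Step 8 without changing anything: Test-ADDSForestInstallation runs the same
# prerequisite checks the wizard shows and returns their messages.
$common = @{
    DomainName                    = 'xpertstec.local'   # step 2
    DomainNetbiosName             = 'XPERTSTEC'         # step 5
    ForestMode                    = 'WinThreshold'      # Windows Server 2016 level, step 3
    DomainMode                    = 'WinThreshold'
    InstallDns                    = $true               # step 3
    CreateDnsDelegation           = $false              # step 4
    DatabasePath                  = 'C:\Windows\NTDS'   # step 6
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    SafeModeAdministratorPassword = $dsrm
}
$check = Test-ADDSForestInstallation @common
$check | Format-List Message, Status
if ($check.Status -eq 'Error') {
    throw 'Prerequisite check failed; fix the reported problems before promoting'
}

# Steps 8-9: promote. -Force suppresses the confirmation prompt only; the
# server still reboots when the promotion finishes.
Install-ADDSForest @common -NoRebootOnCompletion:$false -Force:$true

# After the reboot, verify from an elevated prompt on the new DC:
#   Get-ADDomainController -Discover -Service GlobalCatalog,PrimaryDC
#   dcdiag /test:dns /test:advertising
#   repadmin /showrepl
```

The hashtable is passed to both the test and the install cmdlets so the promotion cannot drift from what was checked; the post-reboot commands confirm the DC advertises as a global catalog and that DNS registration succeeded.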
8. How to Access the AD Console 


1. Open Run (Win+R), type mstsc and click OK. 

2. In Remote Desktop Connection, enter the IP address (or name) of the server and click Connect. 

3. Enter the username and password. 

   (Screenshot: Run dialog and Remote Desktop Connection) 

   The domain controller holds every credential in the domain, so limit who reaches it this way: connect from a dedicated administrative workstation, with a personal administrative account rather than the shared Administrator login, and keep the "Allow log on through Remote Desktop Services" right on domain controllers restricted to the administrator groups that need it. 

4. Active Directory Users and Computers can then be opened in two ways: 

5. GUI: Start menu > type "Active Directory Users and Computers" in the search bar. 

6. Run (Win+R) > type dsa.msc and click OK. 

   (Screenshot: Active Directory Users and Computers showing domain testtestdomain.com with the Builtin, Computers, Domain Controllers, ForeignSecurityPrincipals, Managed Service Accounts and Users containers) 
9. Identity Management 


9.1 How to Create a User 


1. In Active Directory Users and Computers, click the domain you created and expand it. 
2. Right-click Users (or the OU that will hold the account), point to New, and then click User. 
3. Enter the user details (first name, last name, user logon name) and set an initial password. 

   Leave "User must change password at next logon" ticked so the password you typed is used only once. Leave "User cannot change password" and "Password never expires" unticked: "Password never expires" exempts the account from the domain password policy and should be reserved for documented service accounts. "Account is disabled" is useful for pre-staging an account before the person's start date. 

   (Screenshot: New Object - User, password options) 
9.2 How to Create an Organizational Unit 

1. Open Active Directory Users and Computers. 
2. Right-click the domain (or the parent OU), point to New and select Organizational Unit. 
3. Enter the name of the OU, leave "Protect container from accidental deletion" ticked and click OK. 

   With that flag set, the OU refuses both Delete and Move until the flag is cleared on its Object tab (visible only when View > Advanced Features is enabled). This is deliberate: an OU usually carries Group Policy links and delegated permissions that are lost when it is moved or deleted by mistake. 

   (Screenshot: New Object - Organizational Unit, "Create in: abc.com/", Name, Protect container from accidental deletion; ADUC context menu New > Organizational Unit) 

9.3 Move an OU (or Its Users) to Another OU 

1. Open the Active Directory Users and Computers snap-in. 
2. If you need to change domains, right-click "Active Directory Users and Computers" in the left pane, select Connect to Domain, enter the domain name and click OK. 
3. In the left pane, browse to the OU you want to move (or open it and select the user objects in the right pane). 
4. Right-click the OU or the selected users and select Move. 
5. Select the new parent container and click OK. If the move of an OU is refused, clear "Protect object from accidental deletion" on its Object tab first and set it again afterwards. 
9.4 Reset the Password for an AD User 

1. Open Active Directory Users and Computers. 
2. Find the user account whose password you want to reset. 
3. In the right pane, right-click the user account and click Reset Password. 
4. Type and confirm the new password. 

   Note: tick "User must change password at next logon" so the password you know is used only once. The dialog also shows "Account Lockout Status on this Domain Controller" and lets you unlock the account in the same step. The user must log off and log on again for the change to take effect. Every reset is recorded in the Security log of the domain controller that performed it (event ID 4724), which is the trail to review if helpdesk resets are ever abused. 

   (Screenshot: Reset Password dialog) 

9.5 How to Unlock an AD User Account 

1. Open Active Directory Users and Computers. 
2. Right-click the user whose account you need to unlock. 
3. Select Properties from the context menu. 
4. In the Properties window, click the Account tab. 
5. Tick the "Unlock account" checkbox, then click Apply and OK. 

   Lockouts are replicated urgently to the PDC emulator, which logs event ID 4740 with the name of the computer that sent the bad passwords. Check it before unlocking: repeated lockouts usually come from a stale saved credential on a device or service, and unlocking without finding the source only resets the counter. 

   (Screenshot: user Properties > Account tab) 
9.6 How to Create a Group 

1. Open the Active Directory Users and Computers console. 
2. In the navigation pane, select the container in which you want to store the group. This is typically the Users container under the domain, or a dedicated Groups OU. 
3. Click Action, click New, and then click Group. 
4. In the Group name text box, type the name for your new group. 
   Note: use a name that clearly indicates its purpose, and check whether your organisation has a naming convention for groups. 
5. In the Description text box, enter a description of the purpose of the group. 
6. In the Group scope section, select Global or Universal, depending on your Active Directory forest structure. If the group must include accounts from multiple domains, select Universal; if all members are from the same domain, select Global. (Domain local is the scope for a group whose only job is to hold permissions on resources in this domain.) 
7. In the Group type section, click Security. 
8. Click OK to save the group. 

   (Screenshot: ADUC context menu New > Group; New Object - Group dialog with Group name, Group scope (Domain local, Global, Universal) and Group type (Security, Distribution)) 

9.7 Add a Member to a Group 

1. Right-click the group you created. 
2. Select Properties. 
3. On the Members tab, click Add. 
4. Type the username and click Check Names. 
5. When the correct user is listed, select the user and click OK. 

9.8 Update a User Attribute 

1. Right-click the user. 
2. Select Properties. 
3. Click the Attribute Editor tab. 
4. If the Attribute Editor tab is not shown, enable View > Advanced Features in the ADUC console and open Properties again. 
5. Update the required attribute and click OK. 
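The same identity tasks (Sections 9.1 to 9.8) done with the Active Directory module that the AD DS role installed. This is an added example rather than part of the guide; the OU tree Corp\Sales, the user jdoe, the group "Sales Managers" and the attribute values are assumptions for illustration. Run it as a domain administrator on the DC or on a workstation with RSAT.

```powershell
# Added example: the Section 9 tasks via the ActiveDirectory module.
# All object names below are assumed for illustration.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName        # e.g. DC=xpertstec,DC=local

# 9.2 Create OUs. The protection flag is what makes an OU refuse Delete and
#     Move in the console until it is cleared.
New-ADOrganizationalUnit -Name 'Corp'    -Path $domainDn            -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name 'Sales'   -Path "OU=Corp,$domainDn" -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name 'Staging' -Path "OU=Corp,$domainDn" -ProtectedFromAccidentalDeletion $true

# 9.1 Create a user. Initial password prompted (never in the script), must
#     be changed at first logon, never-expires left off so policy applies.
$initial = Read-Host -Prompt 'Initial password for jdoe' -AsSecureString
New-ADUser -Name 'Jane Doe' -GivenName 'Jane' -Surname 'Doe' `
    -SamAccountName 'jdoe' -UserPrincipalName 'jdoe@xpertstec.local' `
    -Path "OU=Staging,OU=Corp,$domainDn" `
    -AccountPassword $initial -ChangePasswordAtLogon $true `
    -PasswordNeverExpires $false -Enabled $true

# 9.3 Move the user to its final OU, then move the (now empty) Staging OU
#     under the domain root: protection off, move, protection back on.
Move-ADObject -Identity (Get-ADUser jdoe).DistinguishedName -TargetPath "OU=Sales,OU=Corp,$domainDn"
Set-ADOrganizationalUnit -Identity "OU=Staging,OU=Corp,$domainDn" -ProtectedFromAccidentalDeletion $false
Move-ADObject -Identity "OU=Staging,OU=Corp,$domainDn" -TargetPath $domainDn
Set-ADOrganizationalUnit -Identity "OU=Staging,$domainDn" -ProtectedFromAccidentalDeletion $true

# 9.4 Reset a password (helpdesk action). -Reset does not need the old
#     password; force another change at next logon as the console note says.
$new = Read-Host -Prompt 'New password for jdoe' -AsSecureString
Set-ADAccountPassword -Identity jdoe -Reset -NewPassword $new
Set-ADUser -Identity jdoe -ChangePasswordAtLogon $true

# 9.5 Unlock. Search-ADAccount lists every locked account in the domain,
#     which is the quicker route when the caller cannot name the account.
Search-ADAccount -LockedOut | Select-Object SamAccountName, LockedOut
if ((Get-ADUser jdoe -Properties LockedOut).LockedOut) {
    Unlock-ADAccount -Identity jdoe
}

# 9.6 / 9.7 Create a global security group and add the member.
New-ADGroup -Name 'Sales Managers' -SamAccountName 'SalesManagers' `
    -GroupCategory Security -GroupScope Global `
    -Path "OU=Sales,OU=Corp,$domainDn" -Description 'Approvers for sales quotes'
Add-ADGroupMember -Identity 'Sales Managers' -Members jdoe

# 9.8 Update attributes. -Replace writes any LDAP attribute by name, which is
#     exactly what the Attribute Editor tab does.
Set-ADUser -Identity jdoe -Department 'Sales' -Title 'Regional Manager' `
    -Replace @{ employeeID = 'E10042'; info = 'Created per onboarding ticket (assumed)' }

# Verify the end state.
Get-ADUser jdoe -Properties MemberOf, Department, employeeID, PasswordNeverExpires |
    Select-Object SamAccountName, DistinguishedName, Department, employeeID, PasswordNeverExpires, MemberOf
```

Both passwords are prompted as secure strings, and PasswordNeverExpires is set explicitly to false so that a copy-and-paste of this block cannot quietly create a policy-exempt account.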
10. Active Directory: Automate System State Backup 


10.1 Backup Policy 


Our first goal is to create an effective Active Directory backup policy. The backup 
policy defines the backup approach, tool, frequency, backup location and the other 
important points covered in this section. 


10.2 Backup Approach 


The most common and recommended approach for AD backup is a System State Backup 
of a domain controller. 


A System State Backup of a domain controller includes the following: 


1. SYSVOL (Group Policy templates and logon scripts) 

2. The Active Directory database (NTDS.dit) and its log files 

3. DNS zones and records (only for AD-integrated zones, which live in the directory) 
4. The system registry 

5. The COM+ Class Registration database 

6. The system boot files 


10.3 Backup Tool 


There are many third-party tools on the market for backing up and restoring Active 
Directory. However, Windows Server Backup (the WBADMIN command-line tool and its MMC 
console), which ships with every edition of Windows Server, is adequate for this purpose. 
It is an installable feature rather than a default component: add the Windows Server Backup 
feature through Add Roles and Features before following the rest of this section. 


This section was written against the WBADMIN tool bundled with Windows Server 2012 R2; 
its behaviour is unchanged on the Windows Server 2019 build installed above. The features 
that make it suitable for AD backups are discussed in the following sections. 


10.4 Backup Frequency 
We strongly recommend daily backups. In an enterprise environment where the directory 
changes every second, restoring an old backup makes little sense. 


Moreover, Microsoft's guidance is that "any backup older than the tombstone lifetime set in 
Active Directory is not a good backup": restoring data that predates the tombstone lifetime 
can reintroduce objects the rest of the forest has already deleted and garbage-collected 
(lingering objects), so the directory service refuses such a restore. The tombstone lifetime 
is 180 days for forests created on Windows Server 2003 SP1 or later and 60 days for older ones. 


For a large enterprise, we recommend taking a System State Backup twice a day. 
Windows Server Backup stores subsequent backups incrementally, so disk space is not a major concern. 
10.5 Which Domain Controllers to Back Up 


Note that in a multi-domain forest, every domain must be backed up 
separately, because some directory partitions are specific to each domain: the 
domain partition and the DomainDnsZones application partition. (The schema, 
configuration and ForestDnsZones partitions are forest-wide and are captured by any DC's backup.) 


Microsoft recommends backing up at least two domain controllers in each 
domain, one of which should be the operations master (FSMO) role holder. However, 
Microsoft does not recommend restoring a domain controller that holds the RID Master 
role, to avoid a future RID pool conflict: a restored RID Master could hand out 
blocks of RIDs that were already issued after the backup was taken, producing duplicate SIDs. 


Based on this recommendation, we have decided to back up two domain 
controllers in each domain, located in different geographical sites far from each 
other. This gives better redundancy, and the jobs are scheduled so that the 
two domain controllers are backed up at different points in time. 


10.6 Backup Method 


Once the System State Backup is scheduled through WBADMIN, the first 
backup is a full backup, followed by 14 incremental backups, and 
then another full backup. 


It therefore follows the pattern below, which cannot be changed: 


First full backup > 14 incremental backups > 1 full backup > 14 incremental backups > 1 full 
backup > 14 incremental backups ... and so on. 


10.7 Backup Location 


Do not store the backup in a network share. Backup versioning and automatic space 
management (which we will cover in next section) will not work through a network share. 


This is because WBADMIN takes block level backup using VSS, which does not work through 
SMB. 


Always store the backup in a local, non-system volume which is dedicated for storing backup. 
The local disk can be mounted from SAN or (in case of VM) can come from a datastore, but it 
has to be mounted in such a way that it is displayed as a locally mounted disk in the Disk 
Management tool. 


As mentioned before, we will not store anything else on that volume. We also cannot use the system drive (typically the C drive) to store the backup, because WBADMIN does not allow a system state backup to be written to the system drive.


The disk where the system state backup is stored should itself be backed up on a regular basis. This "backup of the backup" ensures that a copy is still available if the backup drive is lost or corrupted.
10.8 Backup Versioning


Windows Server Backup stores backup versions as volume shadow copies. Once the data write is complete, WBADMIN uses the Volume Shadow Copy Service (VSS) to create a shadow copy of the volume where the backup is stored.


This shadow copy retains the point-in-time state of the storage volume where the backup is stored, and each point-in-time state is called a backup version.


Backup versioning is one of the most useful features of the WBADMIN tool. There is no separate folder for each backup; instead, each backup run produces a new version of the same backup set.


Every time the backup job is triggered (manually or through a scheduled task), a new version is created with a unique snapshot ID and timestamp.


The command "WBADMIN get versions" lists all the point-in-time snapshots present on that server.


10.9 Review Backup Policy 


Now that we have considered all the points, let's summarize our backup policy. For an organization, it is important to document this backup policy and obtain sign-off from all key stakeholders.





Backup Approach:             System State Backup
Backup Tool:                 Windows Server Backup (WBADMIN.EXE)
Operating System:            Windows Server 2012 R2
Backup Frequency:            Daily
Domain Controllers to Back Up: At least two DCs per Domain; one of those should be an FSMO role holder
Backup Method:               Through Scheduled Task (1 Full > 14 Incremental > 1 Full > 14 Incremental)
Where to Store the Backup:   On a non-system disk, mounted as a local disk. Not on a network share.
Backup Versioning:           Managed automatically by the backup tool
Disk Space Management:       Managed automatically by the backup tool
Service Account:             NT AUTHORITY\SYSTEM
10.10 Configure Windows Server Backup


10.10.1 In the first step, we will install the Windows Server Backup feature in Windows Server.
1. Open Server Manager
2. Click on Add roles and features
3. Under Before you begin, click Next
4. Under Select installation type, choose Role-based or feature-based installation and click Next
5. Under Select destination server, choose your server and click Next
6. Under Select server roles, click Next
7. Under Select features, select Windows Server Backup and click Next


[Screenshot: Add Roles and Features Wizard, Select features page (destination server srv01.home.lan). Windows Server Backup is selected in the Features list; the Description pane reads: "Windows Server Backup allows you to back up and recover your operating system, applications and data. You can schedule backups, and protect the entire server or specific volumes."]


10.10.2 In the second step, we will show you how to configure and perform a backup by using the Backup Once and Backup Schedule features.
1. Open Server Manager, click Tools and then click Windows Server Backup
2. If you are prompted by the User Account Control dialog box, provide the Backup Operator credentials and then click OK.
3. Click Local Backup
4. On the Action menu, click Backup Once.
5. In the Backup Once Wizard, on the Backup Options page, click Different options and then click Next.
6. On the Select Backup Configuration page, click Custom and then click Next.
7. On the Select Items for Backup page, click Add Items, select System state and click OK.
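The scheduled version of this procedure, following the policy in sections 10.6 to 10.9 (system state backup with WBADMIN to a dedicated local volume, daily, running as NT AUTHORITY\SYSTEM), as an added PowerShell example that is not part of the original manual. It assumes the dedicated backup volume is E:, a task name of AD-SystemStateBackup and a 23:00 run time; all three are placeholders to adjust.

```powershell
# Added example (not from the original manual): configure the daily system state
# backup described in sections 10.6-10.10 with WBADMIN, running as NT AUTHORITY\SYSTEM.
# Assumption: the dedicated, locally mounted backup volume is E: (change to suit).
$BackupTarget = 'E:'
$TaskName     = 'AD-SystemStateBackup'   # hypothetical task name

# Guard 1: WBADMIN refuses the system drive (section 10.7), so fail early and clearly.
if ($BackupTarget.TrimEnd('\') -ieq $env:SystemDrive) {
    throw "Backup target must not be the system drive ($env:SystemDrive)."
}

# Guard 2: the target must be a locally mounted volume, not a mapped network share.
# Get-Volume only returns local volumes; a mapped share has no Volume object, and a
# share would break versioning because VSS cannot snapshot it (section 10.7).
$vol = Get-Volume -DriveLetter $BackupTarget[0] -ErrorAction SilentlyContinue
if (-not $vol) {
    throw "$BackupTarget is not a locally mounted volume; refusing to use it."
}

# Install the feature if it is missing (same result as the Server Manager wizard).
if (-not (Get-WindowsFeature Windows-Server-Backup).Installed) {
    Install-WindowsFeature Windows-Server-Backup | Out-Null
}

# Scheduled task: daily at 23:00, runs as SYSTEM (the service account in the policy).
# wbadmin itself enforces the 1 full > 14 incremental rotation and creates a new VSS
# version on every run, so nothing else is needed for versioning or space management.
$action    = New-ScheduledTaskAction -Execute 'wbadmin.exe' `
               -Argument "start systemstatebackup -backupTarget:$BackupTarget -quiet"
$trigger   = New-ScheduledTaskTrigger -Daily -At '23:00'
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount `
               -RunLevel Highest
Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Force | Out-Null

# Verification (section 10.8): list the point-in-time versions held on the target.
wbadmin get versions -backupTarget:$BackupTarget
```

Run it once from an elevated PowerShell session on each of the two Domain Controllers chosen per Domain, staggering the run time so the two backups are taken at different points in time.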
11. Active Directory Sites and Services


11.1 Configure Sites and Services 


1. Tools > AD Sites and Services 
2. Right Click on Site Name > New Site 


[Screenshot: Active Directory Sites and Services console. Tree: Sites > Inter-Site Transports (IP, SMTP), Subnets, Default-First-Site-Name > Servers (DC1, SRV1). The Sites container is right-clicked, showing Delegate Control..., Find..., New, All Tasks, Refresh, Properties, Help.]


[Screenshot: New Object - Site dialog. Create in: contoso.com/Configuration/Sites. Name: (site name). "Select a site link object for this site. Site link objects are located in the Sites/Inter-Site Transports container." Columns: Link Name, Transport; the default site link, DEFAULTIPSITELINK, is listed under the IP transport.]
After the site is created, Active Directory Sites and Services displays the following message:


"Site SiteA has been created. To finish configuration of SiteA:
Ensure that SiteA is linked to other sites with site links as appropriate.
Add subnets for SiteA to the Subnets container.
Install one or more Domain Controllers in SiteA, or move existing DCs into the site.
You will not see this message again until the next time you start Active Directory Sites and Services."


[Screenshot: the Sites container after creation, listing Default-First-Site-Name together with the organization's sites: MILSwitchManesar, MILWADGujarat, MKAGujarat, MRPLChennai, MRPLGujarat, MRPLManesar, MRPLPune, RIPLHosur.]